A security researcher known as LimitedResults has disclosed a critical vulnerability in devices built on the ESP32 chip. The Wi-Fi and Bluetooth chipset's protections can be bypassed entirely, which opens the device to the injection of malware that cannot be removed afterwards.
In the investigation, LimitedResults exploited flaws in Secure Boot and Flash Encryption. The stated goal was to "achieve a persistent exploit, bypassing the Secure Boot and Flash Encryption."
The issue, tracked as CVE-2019-17391, affects devices configured in Full Secure Mode (Flash Encryption + Secure Boot). LimitedResults noted that this is the maximum security level recommended by the chip's maker, Espressif Systems.
Ultimately, the exploit "allows an attacker to decrypt an encrypted firmware." With the firmware decrypted and the Secure Boot Key (SBK) extracted, the attacker can build their own firmware, make it pass Secure Boot, encrypt it and flash it in place of the original. The result is permanent: the compromise cannot be reversed.
The researcher noted that "this attack cannot be patched by the vendor on existing devices" and called it a forever-hack. The write-up adds that the issue cannot be fixed without a hardware revision.
LimitedResults worked with Espressif on responsible disclosure.
Espressif confirmed the findings. According to its advisory, the issue concerns fault injection and Secure Boot: an attacker can use fault injection to "physically disrupt the ESP32 CPU" and thereby bypass Secure Boot authentication while the device is powering on. Once the check is bypassed, the attacker can boot unverified code straight from flash.
LimitedResults warned that every device with an ESP32 is exposed to this exploit, which means millions of devices currently in use and on sale are vulnerable.
As a mitigation, Espressif said that devices can be protected by enabling Flash Encryption together with Secure Boot: an attacker who glitches past the signature check still cannot run code that is not encrypted with the device's key. To achieve this on devices already in use, "a firmware change must be made to permanently enable Flash Encryption in the field." Users are also advised to upgrade ESP-IDF to 3.0.9, 3.1.6, 3.2.3 or 3.3.1 once those releases are available.
ESP-IDF version 4 is also unaffected. Firmware built on these releases can be delivered to deployed devices through over-the-air (OTA) updates.
More technical users who do not want to wait for the new ESP-IDF releases can patch ESP-IDF version 3.2.x themselves.
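One check a practitioner wants after rolling out such a firmware change is whether a deployed device really ended up in Full Secure Mode with release settings. The Python below is an added example, not code from the article, LimitedResults or Espressif. It parses the text printed by Espressif's `espefuse.py summary` tool (the line format is assumed to be `NAME  description = <decimal> R/W (...)`, and the two sample outputs are constructed by hand, not captured from a device) and flags the eFuses that are not burned. The eFuse names are the real ESP32 ones; the rules applied to them (odd popcount of FLASH_CRYPT_CNT, ABS_DONE_0 = 1, the DISABLE_DL_* and JTAG_DISABLE fuses for release mode) follow Espressif's documentation as the author of this example understands it.

```python
"""Check whether an ESP32's eFuses actually put it in Full Secure Mode.

Added example; not code from LimitedResults or Espressif.  Parses the text
that `espefuse.py summary` prints (assumed format: "NAME  description =
<decimal> R/W (...)") and reports which fuses behind Flash Encryption and
Secure Boot are not burned.  Sample outputs are constructed, not captured.
"""
import re

# Constructed sample: a device provisioned in release mode.
SAMPLE_RELEASE = """\
Security fuses:
FLASH_CRYPT_CNT        Flash encryption mode counter                     = 127 R/W (0b1111111)
FLASH_CRYPT_CONFIG     Flash encryption config (key tweak bits)          = 15 R/W (0xf)
ABS_DONE_0             secure boot enabled for bootloader                = 1 R/W (0b1)
DISABLE_DL_ENCRYPT     Disable flash encryption in UART bootloader       = 1 R/W (0b1)
DISABLE_DL_DECRYPT     Disable flash decryption in UART bootloader       = 1 R/W (0b1)
DISABLE_DL_CACHE       Disable flash cache in UART bootloader            = 1 R/W (0b1)
JTAG_DISABLE           Disable JTAG                                      = 1 R/W (0b1)
"""

# Constructed sample: a device shipped with nothing burned.
SAMPLE_UNPROTECTED = """\
Security fuses:
FLASH_CRYPT_CNT        Flash encryption mode counter                     = 0 R/W (0b0000000)
FLASH_CRYPT_CONFIG     Flash encryption config (key tweak bits)          = 0 R/W (0x0)
ABS_DONE_0             secure boot enabled for bootloader                = 0 R/W (0b0)
DISABLE_DL_ENCRYPT     Disable flash encryption in UART bootloader       = 0 R/W (0b0)
DISABLE_DL_DECRYPT     Disable flash decryption in UART bootloader       = 0 R/W (0b0)
DISABLE_DL_CACHE       Disable flash cache in UART bootloader            = 0 R/W (0b0)
JTAG_DISABLE           Disable JTAG                                      = 0 R/W (0b0)
"""

# One fuse per line: upper-case name, free-text description, "= <decimal>".
FUSE_LINE = re.compile(r"^(?P<name>[A-Z][A-Z0-9_]*)\s+.*?=\s*(?P<value>\d+)\b")

# Fuses that should read 1 once a device is provisioned in release mode.
RELEASE_FUSES = ("DISABLE_DL_ENCRYPT", "DISABLE_DL_DECRYPT",
                 "DISABLE_DL_CACHE", "JTAG_DISABLE")


def parse_summary(text):
    """Map each fuse name in an espefuse summary to its decimal value."""
    fuses = {}
    for line in text.splitlines():
        m = FUSE_LINE.match(line)
        if m:
            fuses[m.group("name")] = int(m.group("value"))
    return fuses


def flash_encryption_state(cnt):
    """Classify FLASH_CRYPT_CNT (7 bits): encryption is on when an odd
    number of bits is set; with all seven burned it can no longer be toggled.
    (Write-protection of the fuse, which also makes it permanent, is not
    visible in the value and is not checked here.)"""
    if bin(cnt).count("1") % 2 == 0:
        return "off"
    return "permanent" if cnt == 0x7F else "on-but-reversible"


def assess(fuses):
    """Return a list of findings; empty means Full Secure Mode, release settings."""
    findings = []
    state = flash_encryption_state(fuses.get("FLASH_CRYPT_CNT", 0))
    if state == "off":
        findings.append("flash encryption is OFF (FLASH_CRYPT_CNT even popcount)")
    elif state == "on-but-reversible":
        findings.append("flash encryption is ON but FLASH_CRYPT_CNT is not fully "
                        "burned; confirm the fuse is write-protected")
    if fuses.get("ABS_DONE_0", 0) != 1:
        findings.append("secure boot is OFF (ABS_DONE_0 not burned)")
    for name in RELEASE_FUSES:
        if fuses.get(name, 0) != 1:
            findings.append(f"{name} not burned (development-mode setting)")
    return findings


def report(summary_text):
    """Raw `espefuse.py summary` text in, findings out."""
    return assess(parse_summary(summary_text))


if __name__ == "__main__":
    for label, sample in (("release", SAMPLE_RELEASE),
                          ("unprotected", SAMPLE_UNPROTECTED)):
        print(f"{label}: {report(sample) or ['OK: Full Secure Mode']}")
```

Run it against the real output of `espefuse.py --port <port> summary` by passing that text to `report()`. An empty result only says the fuses are burned; it says nothing about whether the keys were extracted by glitching, which is precisely what the article's attack achieves.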